b"        AUDIT REPORT \n\n          AUDIT OF THE \n\nSMITHSONIAN INSTITUTION NETWORK \n\n  INFORMATION SYSTEM CONTROLS \n\n            Number A-04-05 \n\n\n             January6,2005 \n\n\n\n\n\n0     Srnithsonian Institution \n\n       Office of Inspector General\n\x0c                                        SUMMARY\nThe Office of the Inspector General audited Smithsonian Institution (SI) network\ninformation system controls. The purpose of the audit was to evaluate SI information\nsystem controls for system access, network security, and operating and application system\nconfigurations.\n\nThe following points were considerations throughout our audit: Adequate security of\ninformation and the systems that process it is a fundamental management responsibility.\nOf necessity, management must strike a reasonable balance between information\ntechnology security and operational capability because some controls impede operations.\nIt is Smithsonian policy, as well as good business practice, that controls be established to\nmaintain accountability for the custody and use of resources and to provide reasonable\nassurance that assets are safeguarded against loss or unauthorized use.\n\nOur review identified network access control security weaknesses within the\nSmithsonian's publicly accessible network, as well as opportunities to strengthen system\nconfigurations for network devices, Windows, and UNIX operating systems and Oracle\ndatabase applications.\n\nWe recommended that the Chief Information Officer establish a process for performing\nperiodic network vulnerability scans of its secure, publicly accessible network; correct\nserver and workstation security holes and close unnecessary network open ports and\navailable services; and ensure network devices, operating systems, and database\napplications are securely configured to industry standards.\n\nThe Chief Information Officer concurred with our recommendations and provided\nimplementation plans. We believe that these implementation plans are responsive to our\nrecommendations.\n\x0c                                                 TABLE OF CONTENTS\n\n\n\n1. Introduction ..................................................................................................................................... 1 \n\n\n        A. Purpose .................................................................................................................................... 1 \n\n\n        B. Scope and Methodology ........................................................................................................1 \n\n\n2, Results of Audit ...............................................................................................................................2 \n\n\n        A. Review of Publicly Accessible Network Controls                                ................................................................2 \n\n        B. Review of Operating Systems and Oracle Database Application Security\n        Configurations .............................................................................................................................7 \n\n\nAppendix A. Policies and Industry Standards.................................................................................. 12 \n\n\nAppendix B. Management Comments ............................................................................................. 15 \n\n\n                                    ABBREVIATIONS AND ACRONYMS\n\nNIST                   National Institute of Standards and Technology\nOCIO                   Office of the Chief Information Officer\nSANS                   SysAdmin, Audit, Network, Security Institute\nSI                     Smithsonian Institution\nSIRIS                  Smithsonian Institution Research Information System\n\n\n\n\n                                                                     iii\n\x0c                                   INTRODUCTION\n\nA. Purpose\n\nThe purpose of the audit was to evaluate SI information system controls for system access,\nnetwork security, and operating and application system configurations.\n\nB. Scope and Methodolow\n\nThe audit was conducted from November 14,2003,to December 3,2004, in accordance\nwith generally accepted government auditing standards.\n\nThe audit methodology consisted of the following:\n\n       Identifying and reviewing applicable Institution policies and procedures related to\n       general system controls, computer system security, and integrity of computer\n       resources.\n       Comparing SI system security settings with industry and Institution standards.\n       Evaluating controls meant to safeguard and protect networks.\n       Assessing the adequacy of controls meant to prevent and detect unauthorized\n       activities.\n       Utilizing guidance issued by the Smithsonian Office of the Chief Information\n       Officer (OCIO),National Institute of Standards and Technology (NIST),National\n       Security Agency, and Microsoft Corporation relating to system security\n       configuration.\n\nOur review also included interviews with SI technology staff, through which we gained an\nunderstanding of the practices employed concerning system configuration, network\nsecurity, and system access.\n\x0c                                       RESULTS OF AUDIT\n\nA. Review of Publicly Accessible Network Controls\n\nSI network security controls can be strengthened. Specifically, opportunities exist to\nstrengthen controls over network access and configuration settings for network devices.\nDuring the audit, OCIO recognized that improvements were needed and has since begun\naddressing these weaknesses. Until all weaknesses are addressed and corrective plans are\nin place, SI computers residing on the SI network are at risk of unauthorized access,\ndenial of services, and the unnecessary disclosure of Smithsonian computer system\nresources information.\n\nDetails of Review\n\nAs part of our network control testing, we performed external and internal network\nvulnerability scanning of the SI's secure, publicly accessible network, and other critical\nSI servers. In addition, we evaluated SI network routers and the primary SI firewall\nconfiguration against industry security standards.' From our testing, we determined that\nSI does have network monitoring controls in place. In addition, our testing determined\nthat network access controls could be strengthened to reduce risks such as the\nunnecessary disclosure of system information. Also, our router and firewall\nconfiguration reviews identified that some configuration modifications could strengthen\nSI network access controls.\n\nNetwork\n\nAs part of our network access control testing, we performed network scans on the internal\nSmithsonian network and externally from the Internet. In addition, we performed\nspecific network reviews of web servers. From our testing, we identified network\nweaknesses from the external and internal assessments.\n\nExternal. We performed external network scans of selected Smithsonian Internet\naddresses, including the Smithsonian domain name servers2 In addition, we identified\nthe Smithsonian network domain name servers and attempted to determine if a common\ndiscovery vulnerability of Smithsonian computer names and addresses, known as a zone\ntransfer, was possible. Our tests were successful in performing a recursive domain name\naddress query. Zone transfers and recursive queries should be prevented because, if\nsuccessful, the results disclose the names and network addresses of the computers and\nnetwork devices residing on the network. Knowing the name and network addresses\ngives an unauthorized user inside information on the network topology naming\nconvention, and therefore possibly the purpose of the computers.\n\n\n\n' Appendix A contains a summary of policies and industry security standards used during this audit.\n The domain name servers' function is to manage and administer the computer names and addressing for\nefficient communication across a network. The Smithsonian domain name servers contain approximately\n12,000 computers.\n\x0cFrom our internal network scans we selected 44 computers that had a range of security\nholes and vulnerabilities. We also selected specific ports used on the Internet to target\nfrom outside the Smithsonian network to determine if the same security holes and\nvulnerabilities were discoverable. Our testing was successful in identifying 38 of the 44\ncomputers from the Internet and 98 security holes. The majority of these security holes\ndealt with common web server weaknesses related to ports 80,443, and 8080. The six\nremaining computers were successfully filtered by the network firewall.\n\nIn addition to an external network scan, we browsed the computers using an internet\nbrowser (Microsoft's Internet Explorer, for example) to evaluate the type of information\nthat could be gleaned from them. The browser tests determined that there were numerous\nsystems that leaked system information such as type of server, web application and\nversion, error pages, and browse file directories. The leaking of this type of information\nis a risk and vulnerability in that unauthorized users of the systems could research and\nexploit any weaknesses discovered. For example, the Smithsonian Institution Research\nInformation System (SIRIS) Image Server contains various files, directories, and links to\nanother SIRIS system. Following the link, we determined that there were 179 pages of\nimages and files that are downloadable without explicit permissions or adherence to the\nSmithsonian Copyright statement. In addition, the SIRIS directory structure is\nidentifiable, including a listing of other Smithsonian computer addresses. Also, we\ndiscovered a web server used as a test archive server for which we could not ascertain its\nuse or function. The web server's main page states it is used for E-Prints archiving.\n\nInternal. Internally, we concentrated our testing on the Smithsonian secure public\nnetwork known as the DMZ (demilitarized zone). The secure public network contains\nthose web servers that communicate to the public through the Internet. Our web server\ntesting identified weaknesses in network access, information leakage from a common\ngateway interface, default page displays, and files containing an account name and\npassword. The following table summarizes our web server reviews.\n\n                         Web Server Review Summary (19 Servers)\n                                     Finding Type\n        HTTP' Login and Other Remote Access Logins: This includes\n        web pagesthat permit users to login into th;e web server.\n                                                                            ( Total\n                                                                            1 13      1\n        CGI~  Script Access: This includes default common gateway               3\n\n      1 interface iest scripts, which should be removed. unnecessary test I\n        scripts increase the vulnerability that the scripts can be executed\n        andpossibly allow unauthorizeh access to the web server.\n                                                                           I          1\n        DefaultIError Pages: These pages disclose unnecessary                   3\n\n\n      1\n        information abo;t the web server such as web application, file\n        transfer protocol, and version. This information allows\n        unauthorized users to develop vulnerabilities.\n                                                                           1          1\n      , Source Code Disclosure: This included discoverv of s a m ~ l e          2\n        directories and web server code that could lead tb exploiiation or\n      , disabling of the web services.\n\n\n HyperText Transfer Protocol\n Common Gateway Interface\n\x0cAlso, analyses of our network scans of the secured public network identified 228 hosts\nwith a total of 162 security holes and 809 securitywarnings.' The majority of these\nweaknesses stem from ports 80,443, and 22, as well as from outdated versions of software,\nfailure to apply patches and possible default installations. These ports are used for web\nservices and file transfer purposes.\n\nRouters and Firewall Conjguration\n\nAs part of our network assessment we evaluated two network devices, the Smithsonian\ncore router (ai-corel) and the primary internet firewall (ai-inetl). While performing the\naudit, the Office of the Chief Information Officer was in the process of replacing and\nupgrading its network devices. As a result, the findings presented are generic to a network\ndevice and apply to the functions that the router and firewall are performing and,\ntherefore, not directly related to the specific device vendor. From our network device\nconfiguration analyses, we determined that several services and configurations could be\nimproved and considered when implementing the latest network devices. For example,\nwe identified seven areas within the configuration of the devices where improvements\nshould be made.\n\n        The first area is remote management through simple network management\n        protocol or SNMP. Enhancements can be made on the access control lists that are\n        in place that would further restrict access to this protocol to only those specific\n        hosts that require it.\n        The second area is a common source of trouble that focuses on services that are\n        not necessary for daily operations of the network. Best practices suggest that if a\n        service is not necessary it should be disabled or removed.\n        The third area has to do with the Cisco authentication, authorization, and\n        accounting services and the ability to assign specific user rights to an individual.\n        These services help manage the level of privileges each administrator has on the\n        device.\n        The fourth area is remote administration via telnet. Whenever possible, remote\n        administration should be performed only through secure encrypted services. The\n        telnet service should be disabled and secure shell should be used in its place as a\n        means of secure authentication and administration.\n        The fifth area is the access control lists on the interface lines. This area is perhaps\n        the most critical because this is where the types of traffic allowed into and out of\n        the network are controlled. Specific access control lists need to be put in place\n        that will block known types of Internet-based attacks such as IP spoofing, and\n        distributed denial of service, and that will control which specific hosts have access\n        to resources within the protected network.\n        The sixth area is local management of the console and auxiliaryports of the\n        routers themselves. Specific access controls and session timeout values need to be\n        put in place to control who and what type of connection is allowed at these\n        locations.\n\n  A security hole is identified when information can be obtained that would permit an unauthorized user to\nread a file, determine the directory structure, or gain easy access to the system. A security warning is a\nmisconfiguration, known application, or software weakness that can be exploited.\n\x0c       The seventh and final area involves remote in-band management through the\n       virtual terminal lines. Specific access controls also need to be put in place that will\n       enforce accountability through individual logins, as well as define which hosts are\n       allowed to connect to device services.\n\nDuring the audit, OCIO staff recognized that improvements were needed and has since\nbegun addressing these weaknesses. For example, the network infrastructure is in the\nprocess of being upgraded into trusted zones, and a more robust firewall and intrusion\ndetection system are being installed. Additional staff has also been added to oversee and\nmonitor network security.\n\nUntil all weaknesses are addressed and corrective plans are in place, SI computers\nresiding on the SI network are at risk of unauthorized access, denial of services, and\nunnecessary information disclosure of Smithsonian computer system resources.\n\nConclusion\n\nBased upon our network reviews, we believe that the Office of the Chief Information\nOfficer can improve network security by introducing additional vulnerability assessments\nin its network administration. Implementing periodic security assessments can assist in\nidentifying weaknesses and preventing system compromises.\n\nRecommendations\n\n1. We recommended that the Chief Information Officer establish a process for\n   performing periodic network vulnerability scans of its secure public accessible\n   network.\n\nManagement Comments\n\nConcur. OCIO staff is currently analyzing alternative methods and products for\nperforming periodic network vulnerability scanning. OCIO plans to acquire a network\nscanning product in 2005. The process for performing periodic network vulnerability\nscanning will be defined in a Technical Note.\n\nTarget Completion Date: October 30,2005.\n\nOffice of the Inspector General Response\n\nWe believe the Chief Information Officer's planned actions, if implemented, are\nresponsive to the recommendation.\n\n\n2. We recommended that the Chief Information Officer review the identified open ports\n   and available services and close those that are deemed unnecessary.\n\x0cManapement Comments\n\nConcur. OCIO staff will review identified open ports and services and close those that are\ndeemed unnecessary.\n\nTarget Completion Date: April 30,2005.\n\nOffice of the Inspector General Response\n\nWe believe the Chief Information Officer's planned actions, if implemented, are\nresponsive to the recommendation.\n\n\n3. \t We recommended that the Chief Information Officer address and correct the server\n     and workstation security holes identified.\n\nManagement Comments\n\nConcur. OCIO staff will review the server and workstation security holes identified in the\nreport and correct those that have not already been corrected.\n\nTarget Completion Date: April 30,2005.\n\n\n4. \t We recommended that the Chief Information Officer review network device\n     configurations to ensure they are securely configured to industry standards.\nManagement Comments\n\nConcur. OCIO staff has reviewed network device configuration files to improve security.\nBeginning in 2005, OCIO will formally review all network device configuration files\ntwice a year or when major changes are made in the network devices. Procedures will be\ndefined and documented in a Technical Note.\n\nTarget Completion Date: April 30,2005.\n\nOffice of the Inspector General Response\n\nWe believe the Chief Information Officer's planned actions, if implemented, are\nresponsive to the recommendation.\n\x0cB. Review of Operating Svstems and Oracle Database Application Securitv\nConfigurations\n\nSI server operating and application system security configurations can be strengthened.\nSpecifically,both Windows and Solaris UNIX operating systems could be strengthened to\nindustry security standards. This condition exists partially because, at the time of our\ntesting, there were no specific technical configurations for UNIX operating system and\nOracle databases. Technical configuration standards have since been developed for UNIX\noperating systems and Oracle databases. In any event, the systems are vulnerable to\nunauthorized access and data integrity is at risk.\n\nDetails of Review\n\nAs part of our system security review we performed security configuration evaluations of\noperating systems, web service applications, and Oracle databases. From our evaluations\nwe determined that SI systems could be strengthened to meet industry security standards.\n\nOperating Systems\n\nWe compared server operating system configurations and settings against Smithsonian\nand industry standards and guidance. We assessed seven Windows servers and seven\nUNIX servers' operating systems against these standards. In addition, we used the SANS\nTop 20 Internet Security Vulnerabilities as a basis for our risk as~essment.~\n\nFor the Windows servers, our evaluation included assessing if security patches and\nhotfixes were installed and up-to-date for the Windows operating system and, if\napplicable, for Internet Explorer, Internet Information System, Microsoft Data\nComponent, and Microsoft Media Player. Our evaluations determined that of the 74\noperating system configuration tests performed, over 60 percent failed on each server.\nSpecifically, compared to the SANS Top 20 security risks, our analyses revealed that\nsecurity patches were not up-to-date; password policy was not being followed; registry,\ndirectory, and file permissions were not securely set; and that those servers with Internet\nInformation Services installed contained an arbitrary command execution vulnerability.\n\n\n\n\n The SANS (SysAdmin, Audit, Network, Security Institute) was established in 1989 as a cooperative\nsystem security and research and education organization. The SANS Top 20 vulnerability list for Windows\nand UNIX is composed of the 10 most commonly exploitable vulnerable services for both Windows and\nUNIX.\n\x0cThe following table summarizes our Windows operating system assessment.\n\n\n\n\n                                                 n with other events is high enough to cause a business disruption, if\n                                                 security to an acceptable level of risk.\n\n\n\n\nFor the UNIX servers (all were SUN Solaris UNIX versions), we used the UNIX Security\nChecklist from the Coordination Center at Carnegie Mellon Software Engineering\nInstitute as the industry standard for comparison. From our assessments, we determined\nthat the operating systems were not up-to-date with patches. In fact, all seven had\ninstalled patches that, according to the SUN Solaris website, were three months to a year\nout-of-date. In general, we found that numerous system services were operating at higher\nthan necessary privileges. For example, one of the production enterprise resource\nplanning servers had rlogin, shell, and uucp services7running as default, which is not\nrecommended. Other enterprise resource planning servers had numerous default open\nports and services enabled and were running with root permissions such as finger, login,\nshell, echo, discard, and chargen. The combination of these ports and services makes the\nsystem vulnerable to denial of service risks. One of the most severe vulnerabilities\ninvolving the enterprise resource planning servers is the ability for remote logon in the\nhighest privileged mode of root. Direct remote logon as root is strictly forbidden by\nindustry standards. Also, the UNIX operating system provides the enabling of password\npolicies; however, these security settings were not enabled or defined by Smithsonian\npassword policy of eight characters, but were set for six characters.\n\n\n7 The rlogin and rsh services establish a remote login session from trusted users without a password\nchallenge. These servers use inadequate authentication based on IP address security (which can be\nspoofed), domain name service security (which can be spoofed) and the notion of reserved ports (on UNIX\nsystems only user root can open the client port). The uucp is a Unix-to-Unix system copy server, which\nsupports networking over the network. It isused for file copying. It runs as user root and might be\ncompromised. If it is not needed it should be disabled.\n\x0cThe following summarizes the seven UNIX operating systems reviewed.\n\n\n\n\n   I(*)1: SIERP PD1,2: SIERP PA1,3: SIERP PA2,4: SIERP PA3,5: SIERP PA4,6: si-webmaiol, 7: si-webmail02   I\nOracle Database\n\nWe assessed the Oracle database that supports the enterprise resource planning system\nagainst industry security configuration standards. Our assessment included reviewing 51\nconfiguration settings. From our assessments, the Oracle configuration could be\nstrengthened with regard to logging, audit trails, and password encryption and\nlimitations. The following table represents a summary of the configuration tests.\n\x0cConclusion\n\nBased upon our operating system and database configuration reviews, we believe that the\nOffice of the Chief Information Officer can improve its system security configurations by\nintroducing additional vulnerability assessments in its system administration to assist in\nidentifying weaknesses and strengthening system security.\n\nRecommendations\n\n1. \t We recommended that the Chief Information Officer review the servers and\n     workstations to ensure that all patches and updates are installed for the operating\n     systems and applications.\n\nManaeement Comments\n\nConcur. OCIO staff will review identified servers and workstations to ensure that\nuninstalled patches and updates identified in the report have been corrected and take\naction to install patches and updates where needed.\n\nTarget Completion Date: April 30,2005.\n\nOffice of the Inspector General Response\n\nWe believe the Chief Information Officer's planned actions, if implemented, are\nresponsive to the recommendation.\n\n\n2. \t We recommended that the Chief Information Officer review the Windows and UNIX\n   servers to ensure the operating systems are securely configured to industry standards\n   and remove unnecessary services and ports.\n\nManagement Comments\n\nConcur. OCIO staff began reviewing Windows and UNIX server configuration files to\nimprove their security in September 2004. Beginning in 2005, OCIO will formally\nreview Windows and UNIX server configuration files twice a year or when major\nchanges are made. Procedures will be defined and documented in a Technical Note.\n\nTarget Completion Date: April 30, 2005.\n\nOffice of the Inspector General Response\n\nWe believe the Chief Information Officer's planned actions, if implemented, are\nresponsive to the recommendation.\n\x0c3. \t We recommended that the Chief Information Officer review the Oracle database\n     servers to ensure the database application is securely configured to industry standards.\n\n\nManagement Comments\n\nConcur. OCIO staff will review Oracle database servers to ensure that database\napplications are securely configured.\n\nTarget Completion Date: April 30,2005.\n\nOffice of the Inspector General Response\n\nWe believe the Chief Information Officer's planned actions, if implemented, are\nresponsive to the recommendation.\n\x0cAppendix A. Policies and Industry Standards\n\nWe evaluated SI system security from November 14,2003, through December 3,2004.\nWe used Smithsonian Directives as well as industry guidance and standards from the\nNIST, Government Accountability Office (formerly the General Accounting Office),\nNational Security Agency, and Microsoft Corporation. The evaluation included a review\nof server operating system configurations, web server application configurations,\ndatabases, user accounts, network ports, and vulnerable services.\n\nSmithsonian Directive 115, Management Controls, revised July 23, 1996, lists standards\nthat apply to all Institution units. The directive requires managers to take systematic and\nproactive steps to develop and implement appropriate, cost-effective management\ncontrols. These controls should provide reasonable assurance that assets are safeguarded\nagainst waste, loss, unauthorized use, and misappropriation.\n\nSmithsonian Directive 931, Use ofcomputers e+ Networks, August 5,2002, provides\nInstitution policy on computer safeguards to protect Smithsonian equipment and data.\nUsers are required to use safeguards that include having a password with at least eight\nalphanumeric and special characters. Passwords must not be found in a dictionary, easily\nguessed, or left in writing in the user's office. In addition, passwords should be changed\nevery ninety days and not reused.\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN02, Auditing e+ Logging Procedures, September 8,2003, describes the configuration,\nsettings, size and frequency of log review for all auditable systems. This technical note\ncovers all network devices (e.g., routers, switches), network servers, file servers, database\nservers, application servers, firewalls and intrusion detection systems. The objective is to\nestablish a standard frequency for monitoring audit logs.\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN04, Disabling and Deleting Dormant Accounts, August 27,2003, establishes procedures\nto be used to monitor and disable network accounts at the Smithsonian Institution which\nhave not been used within the last thirty days, and to delete accounts that have been\ndormant for 180 days.\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN08, Implementing Vendor Software Patches/Fixes, August 27,2003, establishes that\nsystem administrators or designated technical staff are required to apply security patches\nor fxes in a timely manner. Patches must be installed on production within seven days of\nsuccessful completion of testing.\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN10, Minimizing Access to Production Software and Data, August 27, 2003, establishes\nprocedures by which production data and software can be safeguarded from\nunauthorized access, modification, and deletion.\n\nSmithsonian Institution Office of the Chief Information Officer Technical Note: IT-930-\nTN12, Password Policy Compliance Testing, August 27, 2003, establishes procedures to be\nused to verify compliance with established password usage policies (SD 93 1, Use of\n\x0c Appendix A. Policies and Industry Standards (Continued)\n\n Computers e+ Networks) at the Smithsonian Institution. The goal is to establish a system\n of checks and reports that records and monitors the enforcement of password usage.\n\n Smithsonian Institution Office of the Chief Information Officer Technical Note, Windows\n 2000 Server Baseline Configuration /Build Notes Application Server Edition Version I . 1,\n November 4,2003, provides setup and configuration guidelines and baselines for the\n standalone Windows 2000 application servers used in the Smithsonian Institution web\n infrastructure. The purpose of this guidance is to serve as a step-by-step guide and check-\n list for building a well-configured and secure Windows 2000 Server with associated\n infrastructure applications.\n\n Computer Emergency Response Team, Carnegie Mellon Software, UNIX Security\n Checklist v2.0, October 8,2001, provides detailed steps to improve the security of Unix\n Operating Systems. It encourages system administrators to review all sections of this\n.\t\n document and if appropriate modify their systems accordingly to f~ potential\n weaknesses. If possible, apply this checklist to a system before attaching it to a network.\n In addition, it is recommended that the checklist be used on a regular basis as well as after\n installation of any patches or new versions of the operating system.\n\n General Accounting Office (now the Government Accountability Office), Financial\n Information Systems Control Audit Manual, January 1999, provides guidance in evaluating\n computer-related controls. The guidance describes access controls to provide reasonable\n assurance that computer resources are protected against unauthorized modifications,\n disclosure, loss, or impairment. Such controls include physical controls, such as locking\n computer rooms to limit access. Inadequate access controls diminish the reliability of\n computerized data and increase the risk of destruction or inappropriate disclosure of\n data.\n\n National Security Agency, Guide to SecuringMicroso)? Windows 2000 File and Disk\n Resources, April 19,2001, recommends that all volumes use new technology file system in\n order to achieve the highest level of security. Under Windows 2000, only new technology\n file system supports discretionary access control to the directories and files. New\n technology file system volumes provide secure and auditable access to the files.\n Therefore, any file allocation table partitions should be converted to new technology file\n system.\n\n NIST Special Publication 800- 18, Guide for Developing Security Plans for Information\n Technology Systems, December 1998, states that the objective of system security planning\n is to improve the protection of information technology resources. All federal systems\n have some level of sensitivity and require protection as part of good management\n practice. According to NIST, system security plans should document the protection of\n the system.\n\x0cAppendix A. Policies and Industry Standards (Continued)\n\nAdditionally, the completion of system security plans is a requirement of the Office of\nManagement and Budget Circular A- 130, Management of Federal Information Resources,\nAppendix 111, Security of Federal Automated Information Resources, and Public Law 100-\n235, Computer Security Act of 1987. The purpose of the security plan is to provide an\noverview of the security requirements of the system and describe the controls in place for\nmeeting those requirements. The system security plan also delineates the responsibilities\nand expected behavior of all individuals who access the system.\n\nNIST, Guidelines on Securing Public Web Servers, Special Publication 800-44, September\n2002, provides guidelines on securing both Apache and Internet Information Services web\nserver applications. The guidelines include installing permanent fixes (often called\npatches, hot fuces, service packs, or updates), and removing or disabling unnecessary\nservices and applications. Ideally, a Web server should be on a dedicated, single-purpose\nhost. Many operating systems are configured by default to provide a wider range of\nservices and applications than required by a Web server; therefore, a Web administrator\nshould configure the operating system to remove or disable unneeded services. Some\ncommon examples of services that should usually be disabled would include: Windows\nnetwork basic inputloutput system (NetBIOS); if not required, file transfer protocol;\ntelnet; simple management transfer protocol; and software development tools.\n\nNIST special publication, Generally Accepted Principles and Practices for Securing\nInformation Technology Systems, September 1996, provides instructions,\nrecommendations, and considerations for government computer security. According to\nthis publication, security policies and procedures should be in place to protect valuable\nresources, such as information, hardware, and software. The security program should\nallow for periodic assessments and should ensure that SI system administrators or system\nsecurity personnel understand their responsibilities.\n\x0cAppendix B. Management Comments\n\n\n          0     Smithsonian Institution\n                Office of the Chief Information Officer\n\n\n                DATE: \t       January 5,2005\n\n\n\n                FROM: \t       Dei111isShaw, Chicf Information Officer\n\n                CC: \t         S. Burke. B. Daniels\n\n                SUBJECT: \t    Response to the Dralt Report, Office of the Inspector General Audit A-04-\n                              05, Smithsonian lnstitution Nenvork\n\n                Thank you for the opportunity to comment on the draft audit repon on the Smithsonian\n                Institution Network. We agree that the Smithsonian Institution Netrvork (SInet)\n                security controls can be strengthened. Since the inception of this audit in November\n                2003 numerous improvements to network and IT infrastruclure security have been\n                implemented. Thc SInet is considerably more secure than when the audit began.\n\n                Planned actions and timclines for completing actions associated with each\n                recommendation are contained in the attachment. If you have any questions, please\n                contact me at 202-633-2800 or Bruce Daniels at 202-633-6000.\n\x0cAppendix B. Management Comments (continued)\n\n\n\n                                                                                            Attachment\n\n\n                             Smithsonian Institution Network Audit Recommendations\n\n\n               Issue 1: Publidy Accessible Network Controls\n\n               Recommendation 1: Establish a process for performing periodic network vulnerability\n               scans of its secure public accessible network.\n\n               Comment: Concur. OCIO is currently analyzing alternative methods and products for\n               performing periodic network vulnerability scanning. OCIO plans to acquire a network\n               scanning product in 2005. The process for perfonning periodic network vulnerability\n               scanning will he defined in a'l'echnical Note.\n\n               Target Completion Date: October 30,2005\n\n               Recommendation 2: Review theidentified open ports and available scrvices and close\n               those that are deemed unnecessary.\n\n               Comment: Concur. OCIO win review identified open ports and services and close those\n               that are deemed unnecessary.\n\n               Target Completion Date: April 30, 2005\n\n               Recommendation 3: Address and correct the server and workstation security holes\n               identified.\n\n               Comment: Concur. OCIO will review the server and workstation security holes\n               identified in the report and correct those that have not already been corrected.\n\n               Target Completion Date: April 30,2005\n\n\n                Recommendation 4: Review network device configurations to ensure they are securely\n                configured to industry standards.\n\n                Comment: OCIO has reviewed network device configuration files to improve security.\n                Beginning in 2005,OCIO will formally review all network device configuration files hvice\n                a ycar- or when major changes are made in the network dcvices. Procedures will be\n                defined and documented in aTechnica1 Notc.\n\n                Target Completion Date: April 30,2005\n\n                Issue 2: Operating Systems and Orade Database Application Security Configurations\n\n                Recommendation 1: Review the servers and workstations to ensure that all patches and\n\x0cAppendix B. Management Comments (continued)\n\n\n\n\n              updates are installed lor the operating systems and applications.\n              Comment: Concur. OClO will review identified servers and workstations lo ensure that\n              uninstalled patches and updates identified in the report have been corrected and take\n              action to install patches and updates where needed.\n\n              Target Completion Date: April 30.2005\n\n\n              Recommendation 2: Reviewthe Windows and UNlX servers to ensure the operating\n              systems are securely configured to industrystandards and remove unnecessary services\n              and ports.\n\n              Comment: OClO began rev~ewiogWindows and UNlX server configuration files to\n              improve their security in September 2004. Beginning in 2005, OCIO will formally review\n              Windows and UNXX server configuration files twicc a year- or when major changes are\n              made. Procedures will be defined and documented in a Technical Note.\n\n              Target Completion Date: April 30,2005\n\n               Recommendation 3: Review tbe Oracle database servers to ensure the database\n               application is securely configured to industrystandards.\n\n               Comment: OCIO will review Oracle database sevcrs to ensure that database applications\n               are securely configured,\n\n               Target Completion Date: April 30,2005\n\x0c"